Response to screen scraping - policy and regulatory implications discussion paper
Tiimely supports a regulated transition away from screen scraping. However, it will be essential that the interests of competition be the guiding principle in determining the timing for a mandated transition to the CDR for designated sectors. Policy decisions should be based on a real-world comparison of the present viability of the CDR vs screen scraping for sector participants and advice from the ACCC on the potential effects on competition of a mandated transition.
March 04, 2024
By Jodi Ross
Jodi Ross has been involved in the Consumer Data Right and Open Banking in Australia since the early days of implementation in 2018, where she led the development of the CDR rules at the ACCC and then Treasury. From 2021, Jodi has worked on CDR implementation within the fintech sector, as Regulatory and Compliance Lead for TrueLayer in Australia and now as Tiimely's Head of Regulatory Affairs and Compliance.
Current screen scraping practices
Tiimely's platform provides digital end-to-end home loan origination, with human involvement where required. Validation of a customer's financial position is an essential component of this process, reflecting responsible lending regulatory requirements, and is a key factor affecting loan affordability and serviceability outcomes. Information about a customer's financial position is collected with the customer’s consent in the form of bank account and transaction data currently via two options: screen scraping (provided by third party service providers) or upload of bank statements which are then digitised using OCR (optical character recognition) technology.
These methods of data collection enable real-time financial validation to occur as part of the digital home loan application process through enrichment and automation of credit decisioning. Data collection via either method occurs on a one-off basis.
In Tiimely’s experience, around 60-70% of consumers elect to use screen scraping to provide bank account transaction data. This is offered during the online application process and the customer is presented with a simple consent process to enable collection of banking credentials through the steps listed below (detailed information about the screen scraping process is also provided on the Tiimely Home website):
- Customer selects their financial institution
- Customer enters the credentials for their financial institution
- Upon successful login, customer is shown accounts
- Customer can then opt to finish and submit application or link another financial institution.
Risks relating to screen scraping
Tiimely has been using screen scraping to support digital home loan origination since 2017 and has not experienced any instances of unauthorised access to or misuse of customer credentials. Tiimely is also not aware of any issues of concern having occurred within the fintech industry more generally.
Current comparability of CDR to screen scraping
Tiimely considers that the CDR consumer data APIs² are not presently a viable alternative to screen scraping to support financial services use cases.
There are a range of reasons for this despite there being genuine demand-side interest in using the CDR in the financial services sector and acknowledgement of the potential benefits of use of the CDR.
The CDR has significant potential advantages over screen scraping in terms of:
- enhanced privacy (and security) through data minimisation and increased customer transparency and control;
- enhanced security for consented data sharing through authentication methods that do not require sharing of login credentials;
- more efficient and reliable access to consumer data through standardised APIs which offer increased resiliency, availability and retrieval speeds for consumer data in a standardised machine-readable format; and
- API-based access to consumer data across an increasing range of sectors to encourage R&D and innovation.
Despite these potential advantages, there are several areas where the CDR is not comparable to screen scraping.
² For the purposes of this submission, our commentary is focussed on the viability of consumer data compared to screen scraping and excludes consideration of CDR product data.
Data quality
Tiimely does not consider there to be wholesale issues with CDR data quality but rather discrete issues with data consistency and coverage that require rectification to be comparable with screen scraping. For example, there are a number of financial institutions that still have data sharing exemptions in place. In addition, a particular advantage of screen scraping is that the scraped data is the same data that customers see in their online banking portals. Financial institutions go to great lengths to ensure this data is highly accurate.
To be a viable alternative to screen scraping, a similar level of quality and rigour needs to be applied to CDR APIs to ensure equivalence and reliability and thereby to increase industry and consumer confidence. Consumer confidence is an important consideration here because consumers will expect that the data they consent to share via the CDR (and which informs important outcomes such as credit assessments) reflects what they can view in their banking portals and is up to date and accurate.
Non-functional experience
The CDR consent flow needs to be simplified to provide consumers with an experience that meets their expectations for digital services while also allowing for an appropriate level of positive friction. Tiimely welcomes the recent consent design paper proposals but suggests that further adjustment of the CDR rules is required to address over-reliance on consent to authorise uses and disclosures of CDR data and to allow greater flexibility for ADRs to develop consent flows within the guardrails of the CX standards and guidelines.
The ‘derived data’ problem
The prescriptive regulation of the use and disclosure of CDR data (and all data derived from that data) does not easily accommodate existing use cases like digital lending which were intended to drive CDR uptake and increase competition in financial services. The bespoke privacy regime in the CDR creates a barrier to entry and an uneven playing field for businesses that choose to transition to the CDR compared to those that do not and who remain subject to the Privacy Act. This is inconsistent with the competition objective at the heart of the CDR and needs to be addressed as soon as possible with the Privacy Act reform process now nearing completion.
The CDR regulatory framework has been largely designed on the basis of a simple paradigm of an ADR that collects CDR data from a data holder and uses that data to provide a product or service to a consumer. This does not reflect the complex nature of the supply chains that exist in the digital economy and that data is usually a key input into the provision of a product or service rather than the service itself.
Taking the Tiimely platform as an example, financial transaction data is an essential input into the credit assessment of whether a home loan can be responsibly offered to a customer. This assessment is one element of the white-labelled home loan origination process that involves a chain of businesses performing different functions covering product marketing and distribution by brand owners, application/credit assessment, funding of the product, and a range of third-party services (including cloud storage and cyber security, insurance, digital identity verification and mortgage documentation/settlement services).
Because of the derived data rules, even the amount of a home loan can be classified as derived data and as such transitioning to the CDR involves the complex task of determining how a simple data point such as a loan amount can be disclosed to and used by relevant participants in the origination process in compliance with the CDR rules. A greater level of flexibility needs to be provided in the CDR regulatory framework in terms of use and disclosure of data so that existing use cases can transition to the CDR without imposing a cost burden³ that is commercially unviable (particularly in the current market conditions) and which will adversely impact future competition and innovation in the financial services sector.
The current uncertainty around the application of the CDR regulatory framework to machine learning models is a further example of a barrier to transitioning to the CDR. Development of machine learning models has been a key driver of the efficiencies and innovation created by fintechs and has increased competition and created consumer benefits in the financial services sector. Under the CDR, machine learning models will need to use both CDR data and derived CDR data for training, testing and calibration purposes and with varying levels of anonymisation or de-identification.
There is a lack of clarity about the application of the CDR regulatory obligations in these circumstances including consent requirements and in relation to ‘right to delete’ obligations (deletion of data used to train models can impair the integrity of the model). Just as the proprietary value of data created by data holders was recognised by the CDR with the ‘materially enhanced’ exclusions from mandatory data sharing, the CDR regulatory regime should accommodate the proprietary models and datasets created by fintechs which support continued competition and innovation in the financial services sector.
³ The compliance/cost burden exists at the accreditation stage and on a continuing basis to maintain accreditation and compliance with CDR obligations which due to their complexity often require use of external advisors and consultants. These costs are significant and presently outweigh the potential advantages of using CDR data described above.
Banning of screen scraping where CDR is a viable alternative
Tiimely supports a regulated transition from screen scraping to the CDR provided that the transition plan is developed having regard to a comprehensive assessment of the CDR as a viable alternative to screen scraping, ideally by the ACCC in its capacity as competition regulator. This assessment should consider the current viability of CDR compared to screen scraping and the likely effects on competition in financial services if a mandated transition were to occur. This assessment would provide the appropriate and evidence-based foundation to determine a transition date and the appropriate milestones for a transition plan to ensure that any issues affecting viability are addressed as preconditions to the transition taking effect.
Tiimely suggests that any comparison assessment focus on key use cases (such as digital home loans and personal/business lending, SME use of cloud-based accounting software, personal financial management applications) and involve real-world testing⁴ of the functional and non-functional aspects of CDR vs screen scraping. This would include API and payload testing, comparative testing of consumer experience with consent processes and assessment of the extent to which the CDR regulatory framework accommodates use cases in a practical and efficient manner.
This ‘like for like’ comparison would illustrate the current gaps and would inform a forward action plan and an appropriate transition timeline. Importantly, an assessment based on key use cases would not need to involve every possible data field available under CDR and could focus on the essential data points required to support those use cases.
Industry could play an important role in providing the evidence for a comprehensive comparison assessment. One limitation here is that it is not currently possible for a business to test transitioning to the CDR because of the need to be fully compliant with the derived data rules prior to testing commencing.
This ‘all or nothing’ approach means that evidence gathering would be confined to those businesses that have already fully transitioned to the CDR and therefore will not provide a sufficient evidence base for comparative analysis. A regulatory sandbox could solve this problem to enable data to be collected from real-world testing with industry participants.
Access to the sandbox could be based on a competitive selection process, with certain eligibility requirements such as unrestricted accreditation, complemented by some temporary and limited exemptions being provided in relation to application of the derived data rules to support testing with key use cases.
⁴ The API testing undertaken by the Financial Conduct Authority in the UK prior to the ‘ban’ on screen scraping taking effect provides a relevant precedent.
About Tiimely
Tiimely is a privately owned Australian technology company founded in 2015 providing digital home loan application, assessment, and approval services to customers in Australia since 2017. Tiimely also provides both Software as a Service (SaaS) and Platform as a Service (PaaS) product offerings to the financial service industries in Australia and New Zealand. The platform’s PaaS offerings, and Tiimely’s own retail home loans, are funded by Bendigo and Adelaide Bank Limited’s white label program. Through its in-house broker service, Tiimely also offers customers access to loans via approved lenders on the AFG panel. Tiimely’s platform now touches around 3%¹ of the Australian mortgage market and is licensed by 2 of Australia's 6 largest banks, ASX Top 100 listed companies, fintechs, brokers as well as its own in-house retail business.
Tiimely has been a keen supporter of the CDR since its inception and was granted unrestricted accreditation as a data recipient (ADR) in March 2023. Tiimely is actively progressing the transition of its platform to CDR data ingestion, commencing with supporting SaaS customers' use of CDR as an accredited outsourced service provider.
¹ Market share data sourced from Equifax/Tiimely and based off current credit enquiry numbers.